ProblemYou have been asked to configure sendmail to grant relaying privileges to STARTTLS clients that present a certificate signed by a trusted certificate authority. SolutionMake sure that OpenSSL is installed as described in Introduction and that sendmail is compiled with STARTTLS support as shown in Recipe 1.6 and Recipe 1.7. Identify each trusted certificate authority in the access database using CERTISSUER : entries. The key field of each entry begins with the CERTISSUER : tag followed by the distinguished name of the CA. The return value of the entry is the keyword RELAY , indicating that any host presenting a certificate signed by the trusted CA is granted relaying privileges. Create a STARTTLS sendmail configuration and add the access_db feature. Here are samples of the defines that configure STARTTLS and the FEATURE macro that enables the access database: dnl Point to the CA certificate directory define(`confCACERT_PATH', `/etc/mail/certs') dnl Point to the root CA's certificate define(`confCACERT', `/etc/mail/certs/cacert.pem') dnl Point to the certificate used for inbound connections define(`confSERVER_CERT', `/etc/mail/certs/cert.pem') dnl Point to the private key used for inbound connections define(`confSERVER_KEY', `/etc/mail/certs/key.pem') dnl Point to the certificate used for outbound connections define(`confCLIENT_CERT', `/etc/mail/certs/cert.pem') dnl Point to the private key used for outbound connections define(`confCLIENT_KEY', `/etc/mail/certs/key.pem') dnl Enable the access database FEATURE(`access_db') Rebuild the sendmail.cf file, copy the new sendmail.cf file to /etc/mail , and restart sendmail. Recipe 1.8 provides an example of these steps. DiscussionTLS can provide strong authentication of the end points and encryption of the data stream. Despite these important security features, establishing a STARTTLS connection is not, by itself, enough to grant relaying privileges. A test shows this: # sendmail -Am -v -t To: craig@crab.wrotethebook.com From: craig@rodent.wrotethebook.com Subject: Attempt to relay after successful TLS connection Ctrl-D craig@crab.wrotethebook.com... Connecting to chef.wrotethebook.com. via relay... 220 chef.wrotethebook.com ESMTP Sendmail 8.12.9/8.12.9; Fri, 22 Aug 2003 12:01:37 - 0400 >>> EHLO rodent.wrotethebook.com 250-chef.wrotethebook.com Hello rodent.wrotethebook.com [192.168.0.3], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-EXPN 250-VERB 250-8BITMIME 250-SIZE 250-DSN 250-ETRN 250-AUTH DIGEST-MD5 CRAM-MD5 250-STARTTLS 250-DELIVERBY 250 HELP >>> STARTTLS 220 2.0.0 Ready to start TLS >>> EHLO rodent.wrotethebook.com 250-chef.wrotethebook.com Hello rodent.wrotethebook.com [192.168.0.3], pleased to meet you 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-EXPN 250-VERB 250-8BITMIME 250-SIZE 250-DSN 250-ETRN 250-AUTH EXTERNAL DIGEST-MD5 CRAM-MD5 250-DELIVERBY 250 HELP >>> MAIL From:<craig@rodent.wrotethebook.com> SIZE=102 AUTH=craig@rodent. wrotethebook.com 250 2.1.0 <craig@rodent.wrotethebook.com>... Sender ok >>> RCPT To:<craig@crab.wrotethebook.com> >>> DATA 550 5.7.1 <craig@crab.wrotethebook.com>... Relaying denied 503 5.0.0 Need RCPT (recipient) >>> RSET 250 2.0.0 Reset state craig... Connecting to local... craig... Sent Closing connection to chef.wrotethebook.com. >>> QUIT 221 2.0.0 chef.wrotethebook.com closing connection In response to the first EHLO command, the server advertises STARTTLS . The client then issues a STARTTLS command, and the server responds that it is ready. This indicates that an encrypted session will start. The second EHLO command is the first SMTP command in the encrypted session. It is followed by a MAIL From : and a RCPT To : command. Notice the response to the RCPT To : command. [3] The message is rejected with a "Relaying denied" error, even though it comes in the midst of an encrypted session. Clearly, TLS does not, by itself, authorize relaying. It is up to the sendmail administrator to decide when and how TLS authentication data should be used. One way to use TLS data is through the access database.
The ${verify} and ${cert_issuer} macros are used in the Local_Relay_Auth ruleset to authorize relaying. ${verify} contains OK when sendmail is able to verify the CA signature on the certificate received from a remote site. sendmail takes the distinguished name of the CA that signed the certificate from the Issuer field of the certificate and stores it in the macro ${cert_issuer} . If ${verify} equals OK , sendmail searches the access database for a CERTISSUER : entry that matches the ${cert_issuer} value. If a match is found, the action specified by the CERTISSUER : entry is taken. If no match is found, processing continues normally. Here is an example of adding a CERTISSUER : entry to the access database: # cd /etc/mail # cat >> access CERTISSUER:/C=US/ST=Maryland/L=Gaithersburg/O=WroteTheBook/CN=chef.wrotethebook.com/ Email=craig@chef.wrotethebook.com RELAY Ctrl-D # makemap hash access < access Given the access database entry just shown, a site that presents a certificate signed by /C=US/ST=Maryland/L=Gaithersburg/O=WroteTheBook/CN=chef.wrotethebook.com/Email=craig@chef.wrotethebook.com is granted relaying privileges. /C=US/ST=Maryland/L=Gaithersburg/O=WroteTheBook/CN=chef.wrotethebook.com/Email= craig@chef.wrotethebook.com is the complete DN of the private CA created in Recipe 8.1. Therefore, any host with a certificate signed by our private CA is allowed to relay mail. A DN can contain almost any character. Several characters , however, have special meaning to sendmail and others are difficult to enter into the access database. For these reasons, the DN stored in the access database uses a special format for storing nonprintable characters, the space, the tab, <, >, (, ), ", and +. These characters are stored as their hexadecimal values preceded by a plus. For example, a space becomes +20, a ( becomes +25. After adding the CERTISSUER : entry to the access database, rerun the test shown earlier in this section. The RCPT To : command now produces the following result: >>> RCPT To:<craig@crab.wrotethebook.com> 250 2.1.5 <craig@crab.wrotethebook.com>... Recipient ok The client is now granted relaying privileges because a CA that is trusted to authorize relaying signed the client's certificate. See AlsoRecipe 8.4 covers the STARTTLS sendmail configuration used as the basis for this recipe. The private CA mentioned in the discussion of this recipe is covered in Recipe 8.1. Chapter 3 discusses the traditional techniques used to grant relaying privileges, including the access database. The content of a certificate, including the Issuer field, is covered in this chapter's Introduction. The sendmail book discusses using the access database for STARTTLS in Section 10.10.8. |